I just recently created a new app. Upon creating it, I added a custom domain, pointed the A and AAAA records to the IPs as directed, and successfully validated a wildcard SSL cert.
Oddly enough however, when attempting to curl to the site, I get the following error:
❯ curl -vvv -H "Host: MYDOMAIN" https://MYIP
* Trying MYIP...
* Connected to MYIP (MYIP) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to MYIP:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to MYIP:443
Similarly, browsers refuse to connect to the domain due to being "unable to make a secure connection". I've redeployed a few times thinking that it might fix some state within the load balancer infrastructure, but nothing seems to be working. At a bit of a loss as to what might be wrong or what I may have misconfigured.
Host header is not sufficient for us to determine the SNI (Server Name Indicator) to figure out which certificate to serve.
There are a few ways to test this without changing your DNS records to point to us:
- Add a /etc/hosts entry temporarily for the subdomain you want to test (e.g. anything.your-hostname.com) pointing at the IP assigned to your account
- curl -v https://anything.your-hostname.com --resolve anything.your-hostname.com:443:<your fly ip>
- openssl s_client -connect <your fly ip>:443 -servername anything.your-hostname.com
I have confirmed your wildcard certificate is being served properly.
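The reply above describes probing with the right SNI name rather than a Host header; the follow-up shows why it mattered. The script below is an added example (not from the thread or from Fly.io) that models the two pieces together: the wildcard-matching rule a TLS endpoint applies when choosing a certificate for a given SNI name, and a small live probe that does what `curl --resolve` / `openssl s_client -servername` do and returns the dNSName entries of whatever certificate is actually served. The certificate inventories, `mydomain.com` names and the `served_san` helper are constructed for illustration.

```python
"""Which certificate does a SNI-aware load balancer pick for a given name?

Added example, not code from the thread.  Models the wildcard rule the
asker ran into: `*.mydomain.com` covers exactly one label to the left of
mydomain.com, so it never covers the bare root name.  Certificate
inventories and hostnames below are constructed for illustration.
"""
from __future__ import annotations

import socket
import ssl


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Return True if a certificate dNSName (plain or wildcard) covers hostname.

    Follows the RFC 6125 reading browsers and TLS libraries use: a wildcard
    is only honoured as the entire leftmost label and matches exactly one
    label, so '*.example.com' covers 'a.example.com' but neither
    'example.com' nor 'a.b.example.com'.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # A wildcard needs at least two labels to its right (no '*.com').
        return len(pat) >= 3 and host[1:] == pat[1:]
    if any("*" in label for label in pat):
        return False  # partial wildcards such as 'f*.example.com' are rejected
    return host == pat


def select_certificate(sni: str, certs: list[dict]) -> dict | None:
    """Pick the certificate a SNI-aware proxy would serve for `sni`.

    `certs` is a list of {"label": ..., "san": [names...]} dicts (constructed
    shape, not a real API).  An exact dNSName beats a wildcard; None means
    no certificate covers the name, i.e. the handshake has nothing to offer.
    """
    best, best_rank = None, -1
    for cert in certs:
        for name in cert["san"]:
            if hostname_matches(sni, name):
                rank = 1 if name.startswith("*.") else 2  # exact beats wildcard
                if rank > best_rank:
                    best, best_rank = cert, rank
    return best


# Constructed inventories: the asker's initial state (wildcard only) and the
# fixed state (wildcard plus a separate certificate for the root domain).
WILDCARD_ONLY = [{"label": "wildcard", "san": ["*.mydomain.com"]}]
WILDCARD_AND_ROOT = WILDCARD_ONLY + [{"label": "root", "san": ["mydomain.com"]}]


def served_san(ip: str, sni: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Live version of the thread's test (needs network; not run at import).

    Connects to `ip` with `sni` in the ClientHello, which is what
    `curl --resolve` and `openssl s_client -servername` do, and returns the
    dNSName entries of the certificate actually served.  Chain verification
    stays on; hostname checking is off so a mismatched certificate is
    returned for inspection instead of raising.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            san = tls.getpeercert().get("subjectAltName", ())
            return [value for kind, value in san if kind == "DNS"]


if __name__ == "__main__":
    for sni in ("app.mydomain.com", "mydomain.com", "a.b.mydomain.com"):
        for label, inventory in (("wildcard only", WILDCARD_ONLY),
                                 ("wildcard+root", WILDCARD_AND_ROOT)):
            chosen = select_certificate(sni, inventory)
            outcome = chosen["label"] if chosen else "no cert (handshake fails)"
            print(f"{sni:20} {label:14} -> {outcome}")
```

Run it as-is to see the table of which inventory covers which name; call `served_san("<your fly ip>", "anything.your-hostname.com")` against a real endpoint to see the names on the certificate the proxy picked for that SNI value.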
Thanks Jerome - it turns out my error came from the fact that I mistakenly believed a wildcard cert alone (wildcard cert: *.mydomain.com) would also be applied for the root domain, such that mydomain.com would be served under the auspices of that cert. Your message made me double check myself, and I created a separate cert for the root domain (mydomain.com), and now everything works as I'd expect.
Thanks for the response!